Dynamic ACL Reconfiguration for VRF

For a remote access solution (we connect to our customers), we're using a 2821 which handles site-to-site VPN to various customers, as well as PPP dial-up and routing for leased lines.

In order to avoid problems with overlapping IP ranges, we're using a VRF per customer. However, we're restricted in terms of who can connect where, since access to a VRF is controlled by an ACL.

Here's an example:

route-map VRF-Selection permit 23
 match ip address 99 23
 set vrf TERT
!
access-list 23 remark *** HOSTS for TERT
access-list 23 permit 195.141.121.159
access-list 99 remark *** NON-Existing IP for all VRF
access-list 99 permit 10.145.255.255

So, with the above configuration, the host 195.141.121.159 can access the VRF provided its routing table is adjusted properly (we have that under control). We have the "virtual" ACL 99 so that if we reconfigure the ACL granting access to the VRF (see below), the route mapping doesn't get lost.

Now, suppose a second host, 195.141.121.160, needs access to the same VRF. We can easily do that by connecting to the router, entering config mode, and adding another permission to ACL 23:

access-list 23 permit 195.141.121.160 0.0.0.0

So far so good. Where we get into trouble is once that second host should no longer be able to use the VRF TERT. Modifying ACL 23 will result in the router dropping any and all connections.

For that not to happen, we need to first remove ACL 23 from the route-map VRF-Selection:

route-map VRF-Selection permit 23
 no match ip address 23
 exit

Then completely rewrite ACL 23 from scratch:

no access-list 23
access-list 23 remark *** HOSTS for TERT
access-list 23 permit 195.141.121.159

and finally re-enable ACL 23 on the VRF:

route-map VRF-Selection permit 23
 match ip address 23
 exit

Now I'm wondering, is there no way to get rid of the entry

access-list 23 permit 195.141.121.160 0.0.0.0

in ACL 23 without dropping existing connections (other than those originating from 195.141.121.160)?

Re: Dynamic ACL Reconfiguration for VRF

Thanks for your suggestion. Is there a minimum IOS release that I should look out for? (I got locked out yet again, so I need to find somebody on location to reboot the router before I can check what version we have.)

Also, deleting specific entries is but half of the problem. The other half stems from the fact that as soon as I change anything in the config, the router drops all connections and needs a reboot.

I was told by the guy who initially set it all up that a

route-map VRF-Selection permit 23
 no match ip address 23
 exit
no access-list 23

then re-creating the ACL and re-adding the ACL to the route map would do the trick... turns out that once the 4th command has been sent, I'm disconnected and the router can never be reached again. Since I'm not changing any ACL that permits access to the router itself, I don't quite understand why this happens or how I can avoid it.
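Added example, not part of either post above: the same VRF-selection setup rebuilt with a sequence-numbered named ACL, so that a single host entry can be deleted by its sequence number while the route-map and the remaining entries stay in place, plus a scheduled reload as a safety net against the lock-out described in the second post. It assumes an IOS release that supports named ACLs with sequence numbers and "set vrf" in route-maps; the ACL name TERT-HOSTS is an assumption, while the route-map name, sequence 23, VRF name TERT and host addresses are taken from the thread.

```ios
! --- Added example, not from the original posts. Assumes an IOS release
! --- that supports sequence-numbered named ACLs and "set vrf".
!
! 1. Safety net: schedule a reload before touching anything. If the change
!    locks us out, the router reboots on its own after 10 minutes;
!    "reload cancel" (step 5) clears it once the change is confirmed good.
reload in 10
!
configure terminal
!
! 2. Named standard ACL with explicit sequence numbers, one host per entry.
!    (ACL name TERT-HOSTS is assumed; the hosts are the two from the thread.)
ip access-list standard TERT-HOSTS
 remark *** HOSTS for TERT
 10 permit host 195.141.121.159
 20 permit host 195.141.121.160
!
! 3. Route-map entry for the TERT VRF, matching on the named ACL.
route-map VRF-Selection permit 23
 match ip address TERT-HOSTS
 set vrf TERT
!
! 4. Later, revoke only the second host: delete entry 20 by sequence number.
!    The route-map is not modified and entry 10 is untouched.
ip access-list standard TERT-HOSTS
 no 20
!
end
!
! 5. Verify what is now in effect, then cancel the pending reload.
show ip access-lists TERT-HOSTS
show route-map VRF-Selection
reload cancel
```

Whether existing flows through the VRF survive a per-entry edit depends on the IOS release and on how the route-map re-evaluates its match, so that still has to be checked on the box itself; the scheduled reload only bounds the damage if the edit locks you out again.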
